Using secured actions is a 2-step process. You must first generate a link with the security key, and then later verify that key when the user clicks on the action that will execute a file function in the
action/ directory.
{{{The securiser_action() function}}}
This
securiser_action function, stored in the
ecrire/inc/securiser_action.php file, creates or verifies an action. During creation, depending on the
$mode argument, it will create a URL, a form or simply return an array with the requested parameters and the generated key. During verification, it compares the elements submitted with a GET (URL) or POST (form) and kills the script with an error message and
exits if the key does not match the current author.
{{{Generating a key}}}
To generate a key, you need to call the function with the right parameters:
$securiser_action = charger_fonction('securiser_action','inc');
$securiser_action($action, $arg, $redirect, $mode);
These four parameters are the main ones used:
-*
$action is the name of the action file and the corresponding action(
action/name.php and the associated function
action_name_dist())
-*
$arg is a passed argument, for example
supprimer/article/3 which will be used, among other things, to generate the security key.
-*
$redirect is a URL for redirection after the action has been performed.
-*
$mode indicates what should be returned:
-**
false: a URL
-**
-1: an array of parameters
-** a content text: a form to be submitted (the content is then added into the form)
{{{Inside an action, verifying and retrieving the argument}}}
Within an action function (
action_name_dist()), we verify the security key by calling the function without an argument. It returns the argument (otherwise displays an error and kills the script):
$securiser_action = charger_fonction('securiser_action','inc');
$arg = $securiser_action();
// from here on, we know that the author is the right person!